rgw: Give useful errors when policies fail to parse #49395
Unused using, confusing indentation, bracing.
Signed-off-by: Adam C. Emerson <aemerson@redhat.com>
32f01dd to f0a38b1
oh, this is amazing; @adamemerson is this potentially backportable to our test fix branch?
It would be much nicer to give people an idea why their policies are failing rather than just telling them where they're failing.
Signed-off-by: Adam C. Emerson <aemerson@redhat.com>

Reject policies with invalid principals by default and provide more useful error messages while doing so. (Log them but do *not* reject the policy if it's set to false.)
Signed-off-by: Adam C. Emerson <aemerson@redhat.com>

This affects the various create/put operations that take a policy document.
Signed-off-by: Adam C. Emerson <aemerson@redhat.com>

rgw-policy-check - a program to do syntax checking on bucket policy. This program just reads the policy into memory, so it is not checking anything except syntax.
Signed-off-by: Marcus Watts <mwatts@redhat.com>

rgw: Fix return value of `rgw-policy-check`
Signed-off-by: Adam C. Emerson <aemerson@redhat.com>

rgw: Use ceph initialization in `rgw-policy-check`
Specifically so we can pull in the options from `ceph.conf` and similar.
Signed-off-by: Adam C. Emerson <aemerson@redhat.com>
f0a38b1 to 2886431
The policy checker, together with human-readable error reporting from the parser, makes the foundation for an IAM semantic error checker. I'm really glad we were able to do this.
Looks like none of the test failures are policy related, just multisite, tempest, and AMQP.
This gives useful error messages when policies fail to parse and adds an option that (when true) will reject policies with invalid principals rather than logging them and moving on.
We can now get error messages like: